Advice Request COMODO blocks Windows Updates with error 0x80070005

[Andy Ful]

I conducted a test in VirtualBox with the fresh Windows 11 23H2 installation (default Admin account) upgraded via updates to Windows 11 25H2.
The upgraded system (A) did not have any third-party applications and only several Windows Updates.

Next, I created the snapshot (B) of (A), and installed CIS Premium with default settings on (B).

Then, I disabled Antivirus, Firewall, Auto-Containment, VirusScope, and Website Filtering (system (B) restarted).
Finally, I tried to download and update the system (B). Both updates were downloaded, and installation was started. One update was installed successfully, but the second failed (KB5067036) with error 0x80070005.

Finally, I tried to update the initial system (A). All updates were installed successfully.

This is an example that CIS, even with disabled shields, can rarely cause Windows Update failure.

 

[Pico]

Meaning that you cannot disable CIS protection by simply disabling all CIS protections components.
If you would like to stop CIS completely than you have to stop CIS running services / processes or do CIS uninstall.

 

[Andy Ful]

Meaning that you cannot disable CIS protection by simply disabling all CIS protections components.
If you would like to stop CIS completely than you have to stop CIS running services / processes or do CIS uninstall.

It is rather obvious. However, the problem is that disabling all protection layers via the CIS GUI is still insufficient for unproblematic updating.
This also suggests that any CIS settings can sometimes cause problems with Windows Updates.

 

[TheMalwareMaster]

I conducted a test in VirtualBox with the fresh Windows 11 23H2 installation (default Admin account) upgraded via updates to Windows 11 25H2.
The upgraded system (A) did not have any third-party applications and only several Windows Updates.

Next, I created the snapshot (B) of (A), and installed CIS Premium with default settings on (B).

Then, I disabled Antivirus, Firewall, Auto-Containment, VirusScope, and Website Filtering (system (B) restarted).
Finally, I tried to download and update the system (B). Both updates were downloaded, and installation was started. One update was installed successfully, but the second failed (KB5067036) with error 0x80070005.

View attachment 292708

Finally, I tried to update the initial system (A). All updates were installed successfully.

This is an example that CIS, even with disabled shields, can rarely cause Windows Update failure.

That's a great job from your side, thank you!!! So the update failed also with default settings?

P.S. - it seems like only "cumulative updates" fail from my tests

 

[Andy Ful]

That's a great job from your side, thank you!!! So the update failed also with default settings?

It failed when CIS was in default settings and all protection layers were disabled/deactivated.

 

[Pico]

CIS doesn't like the Windows update service updating its update service.

 

[Andy Ful]

I conducted a test in VirtualBox with the fresh Windows 11 23H2 installation (default Admin account) upgraded via updates to Windows 11 25H2.
The upgraded system (A) did not have any third-party applications and only several Windows Updates.

Next, I created the snapshot (B) of (A), and installed CIS Premium with default settings on (B).

Then, I disabled Antivirus, Firewall, Auto-Containment, VirusScope, and Website Filtering (system (B) restarted).
Finally, I tried to download and update the system (B). Both updates were downloaded, and installation was started. One update was installed successfully, but the second failed (KB5067036) with error 0x80070005.

View attachment 292708

Finally, I tried to update the initial system (A). All updates were installed successfully.

This is an example that CIS, even with disabled shields, can rarely cause Windows Update failure.

For fun, I conducted a similar test with CIS Proactive config (enabled protection layers). The result surprised me. All updates were successful (including KB5067036)!
So, I decided to repeat the test with default settings and disabled protection layers. No surprise this time. The update KB5067036 failed again with error 0x80070005.

Yes, this is very strange. Why does the disabled default protection cause the Windows Update error, and another enabled protection not?

 

[Pico]

HIPS hiccup HIPS

 

[Andy Ful]

HIPS hiccup HIPS

The updates were successful with enabled HIPS (Proactive configuration) and active protection layers. So, HIPS is not a problem in this case.
It seems that disabling protection layers in CIS can sometimes have a negative impact on Windows Updates, which is completely counterintuitive.

 

[Pico]

The updates were successful with enabled HIPS (Proactive configuration) and active protection layers. So, HIPS is not a problem in this case.
It seems that disabling protection layers in CIS can sometimes have a negative impact on Windows Updates, which is completely counterintuitive.

On the contrary, enabling HIPS allow the update to pass because there are rules for it that allow it.
Try to disable HIPS (delete also all HIPS rules) in the proactive config and try updating again, I'm really curious what happens than.

 

[Andy Ful]

On the contrary, enabling HIPS allow the update to pass because there are rules for it that allow it.
Try to disable HIPS (delete also all HIPS rules) in the proactive config and try updating again, I'm really curious what happens than.

I do not think so.
Here are the results of all my tests so far:
Internet Security config (HIPS disabled by default) ---> all updates were OK.
Internet Security config (HIPS disabled by default) + all security layers disabled ---> update failed.
Proactive setup (HIPS enabled) ---> all updates were OK.
Proactive setup (HIPS enabled) + all security layers disabled ---> update failed.

So, whenever all protection layers were disabled, the updates failed (independently of enabled or disabled HIPS).

 

[TheMalwareMaster]

I do not think so.
Here are the results of all my tests so far:
Internet Security config (HIPS disabled by default) ---> all updates were OK.
Internet Security config (HIPS disabled by default) + all security layers disabled ---> update failed.
Proactive setup (HIPS enabled) ---> all updates were OK.
Proactive setup (HIPS enabled) + all security layers disabled ---> update failed.

So, whenever all protection layers were disabled, the updates failed (independently of enabled or disabled HIPS).

I'll try to re-enable the HIPS, you reminded me I have just changed this setting. Before, I have always used the product with HIPS ON...

 

[Andy Ful]

I'll try to re-enable the HIPS, you reminded me I have just changed this setting. Before, I have always used the product with HIPS ON...

You probably used the Safe HIPS setting. Did you have any problems with Windows Updates before the current problem?

 

[TheMalwareMaster]

You probably used the Safe HIPS setting. Did you have any problems with Windows Updates before the current problem?

Yes, I used HIPS in safe mode. Will try to turn them on again. No, no issue when HIPS was ON and no issue with windows update before the current problem

 

[Pico]

Proactive setup (HIPS enabled) + all security layers disabled ---> update failed.

Just for correct understanding, you wrote "Proactive setup (HIPS enabled) + all security layers disabled" was HIPS OFF or ON during this test?

 

[Andy Ful]

Just for correct understanding, you wrote "Proactive setup (HIPS enabled) + all security layers disabled" was HIPS OFF or ON during this test?

When you first set the Proactive config and then disable all protection layers by using the Comodo icon on the System Tray, then two modules are still shown as enabled: HIPS and Script Analysis. However, I do not know for sure if they work normally.

Post edited.

 

[cruelsister]

Script Analysis. However, I do not know for sure if they work normally.

Script Analysis will only function with Containment enabled. It is not independent of it.

 

[Andy Ful]

Script Analysis will only function with Containment enabled. It is not independent of it.

Script Analysis still works, but the script will not be contained. The effect of this work can be seen when HIPS is in Paranoid Mode (script blocked).
When HIPS is in Safe mode, the script will mainly run unrestricted (some actions can be blocked by HIPS).

 

[Pico]

When you first set the Proactive config and then disable all protection layers by using the Comodo icon on the System Tray, then two modules are still shown as enabled: HIPS and Script Analysis. However, I do not know for sure if they work normally.

Post edited.

Can you please redo the Windows update test with default Proactive setup and only disable HIPS in the GUI and delete all HIPS rules from the HIPS rules list (leave all other protections at their default Proactive state)?

 

[cruelsister]

Script Analysis still works, but the script will not be contained. The effect of this work can be seen when HIPS is in Paranoid Mode (script blocked).
When HIPS is in Safe mode, the script will mainly run unrestricted (some actions can be blocked by HIPS).

Yes and No. Actually the best way to have an idea of what occurs is by placing Comodo in Silent mode. Then one can switch between HIPS at both Safe and Paranoid Mode with Script Analysis on or off. The same can be done with Containment and Script Analysis.

Here is a batch file that plops a text file on the Desktop where the differences can be easily (and safely) seen:

@echo off
(
echo Test file
echo via batch script
echo Date: %date%
echo Time: %time%
) > "%USERPROFILE%\Desktop\CruelText.txt"
echo Text file with content created on desktop!
pause


Save above as whatever.bat